In order to clean a malware infection, the first thing we need to know is which files have been compromised. At Sucuri, we use several techniques including whitelists, blacklists, and anomaly checks. In this blog post, we’re going to be focusing on how core integrity checks are a key component of the whitelisting model and how this aids in effectively detecting malware.
Cryptographic Hash Functions and Checksums
When a website compromise happens, attackers add, modify, or delete files from the server. For example, they might want to modify the header.php file of a WordPress theme in order to load an external JavaScript file which will then redirect mobile visitors to a malicious website.
How Sucuri Verifies Known Good Files
To go a step further in confirming that all malware has been detected, we use cryptographic hash functions such as MD5 and SHA-1 to calculate the checksums of healthy CMS core files and add those to our whitelist database.
During routine scans, we verify the website files against the checksums stored in our whitelist database. After identifying which files have been modified, we perform automatic and manual inspections and note the results so they can be handled during the cleanup process. Sucuri customers can rely on our incident response team to restore those infected files to their clean state.
Note: Because checksum verifications alone are not enough to detect malicious files, we use them as another layer to detect Indicators of Compromise (IoC). All of our detection mechanisms work together to provide more complete visibility of malware infections.
Our WordPress plugin uses a similar mechanism that we will go over in a moment.
Hashing functions let us perform more verifications because their job is to map content of any size to fixed-size content (a checksum, or hash value). The job of a cryptographic hashing function is to make sure that the checksum it returns depends entirely on the content passed as input.
For example:
- The SHA-1 hash for “hello world!”: 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
- The SHA-1 hash for “world! hello” (same characters, same length): e79122583f6dcb50d733ddfce66c366a38ddd79f
A small change in order yields totally different hash values, and it’s impossible to spot any relation between the two.
According to Wikipedia, an ideal cryptographic hashing function should have these five properties:
- It is deterministic so the same message always results in the same hash
- It is quick to compute the hash value for any given message
- It is infeasible to generate a message from its hash value except by trying all possible messages
- A small change to a message should change the hash value so extensively that the new hash value appears uncorrelated with the old hash value
- It is infeasible to find two different messages with the same hash value
This is the reason why the checksum returned by a trusted cryptographic hashing function is reliably used to determine data integrity.
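The two properties the integrity check relies on, determinism and the avalanche effect, can be measured directly. The following is an added example, not code from the original post or from Sucuri; it hashes the two strings above with SHA-1 and counts how many of the 160 digest bits flip, which for unrelated outputs should be roughly half.

```python
import hashlib


def sha1_hex(message: str) -> str:
    """SHA-1 digest of a UTF-8 message as 40 hex characters."""
    return hashlib.sha1(message.encode("utf-8")).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche_report(a: str, b: str) -> dict:
    """Check determinism (same input, same digest) and report how many of the
    digest bits change between inputs a and b. For an ideal hash the count
    sits near half the digest length, i.e. the digests look uncorrelated."""
    ha, hb = sha1_hex(a), sha1_hex(b)
    return {
        "deterministic": ha == sha1_hex(a),
        "digest_bits": len(ha) * 4,
        "bits_changed": differing_bits(ha, hb),
        "digests_differ": ha != hb,
    }


if __name__ == "__main__":
    # The two reordered strings from the post, plus a one-character edit.
    print(avalanche_report("hello world!", "world! hello"))
    print(avalanche_report("hello world!", "hello world?"))
```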
Sucuri Security WordPress Plugin
By far, WordPress is the most attacked CMS platform out there, and the reason for this is that it holds a market share of 31.6% of all websites. We support the WordPress community with a free plugin that includes some really useful functions, including file integrity monitoring.
For the file integrity monitoring function of our plugin, we compare the md5sum (checksum) of the core files in the current site with the hashes hosted on the WordPress repository.
In addition to monitoring the integrity of the core files, our plugin offers a hassle-free way to deal with added, modified, and deleted files. Let’s see these scenarios:
- Added files. If a file is not part of the core files of your site’s WordPress version, it’ll be marked as added. The plugin also offers you the option to delete such files or to keep them. The decision is up to you, and it should be based on whether you uploaded the file or not. Unrecognized added files are a red flag for security breaches.
- Deleted files. If a core file is missing, the plugin will allow you to retrieve it from the official WordPress repository. Deleted files are not as common as added files, but they do happen from time to time. Owners or another webmaster mistakenly delete files, or a poorly executed attack removes them.
- Modified files. If a website file has the same path as a WordPress repository file but its content is different, it’s marked as modified. WordPress (and most CMSs) don’t recommend modifying core files, since changes can be lost during future updates. Modified core files are also a red flag for security breaches. Our plugin offers the option to restore the content of modified files with the original content from the WordPress repository.
Note: The plugin only checks content under the document root directory, wp-includes and wp-admin. Files under the content directory (or other directories) will not be included during a core integrity check.
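The whitelist verification described above and the added/deleted/modified classification with the plugin's scope rule can be put together in a few lines. This is an added example written for this post, not the Sucuri plugin's own code: the whitelist is assumed to be a path-to-MD5 map like the WordPress core checksum list, and all file contents and checksums are constructed sample data, not real WordPress hashes.

```python
import hashlib


def md5sum(data: bytes) -> str:
    """Checksum the core whitelist is keyed on (MD5 hex digest)."""
    return hashlib.md5(data).hexdigest()


def in_core_scope(path: str) -> bool:
    """Only document-root files, wp-admin/ and wp-includes/ are checked,
    matching the scope of the core check; wp-content and others are skipped."""
    parts = path.split("/")
    return len(parts) == 1 or parts[0] in ("wp-admin", "wp-includes")


def core_integrity_check(whitelist: dict, site_files: dict) -> dict:
    """Compare site files (path -> bytes) against a whitelist (path -> md5).
    Returns sorted lists of added, deleted and modified core file paths."""
    result = {"added": [], "deleted": [], "modified": []}
    for path, data in site_files.items():
        if not in_core_scope(path):
            continue  # outside the core integrity check
        if path not in whitelist:
            result["added"].append(path)
        elif md5sum(data) != whitelist[path]:
            result["modified"].append(path)
    for path in whitelist:
        if path not in site_files:
            result["deleted"].append(path)
    return {kind: sorted(paths) for kind, paths in result.items()}


# Constructed pristine contents of a few core files; the whitelist checksums
# are derived from them (sample data, not real WordPress files or hashes).
PRISTINE = {
    "index.php": b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-admin/admin.php": b"<?php\n// admin bootstrap\n",
    "wp-includes/version.php": b"<?php\n$wp_version = 'x.y.z';\n",
}
WHITELIST = {path: md5sum(content) for path, content in PRISTINE.items()}

# Constructed snapshot of a tampered site: index.php has an extra line,
# version.php is gone, an unknown file appeared, and a theme file is ignored.
SITE = {
    "index.php": PRISTINE["index.php"] + b"// injected line\n",
    "wp-admin/admin.php": PRISTINE["wp-admin/admin.php"],
    "wp-includes/.cache.php": b"<?php // unknown file\n",
    "wp-content/themes/demo/header.php": b"<?php // out of scope\n",
}

if __name__ == "__main__":
    for kind, paths in core_integrity_check(WHITELIST, SITE).items():
        print(kind, paths)
```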
Conclusion
Cyber attackers make creative use of automation to perform their attacks. At Sucuri, we don’t want to miss a thing. That’s why we also make use of automatic processes to detect malware infections more effectively.
To take advantage of automatic core integrity verifications of your website’s files, use our complete Website Security Platform, which also includes a Website Application Firewall (WAF) that will protect you from getting malware in the first place!